Applying user specific NTFS permissions to all home directories using CLI

There are lots of useful command line tools for listing and modifying NTFS permissions, such as cacls, icacls, subinacl, setacl and System Tools’ dumpsec. I will continue to enhance this post with useful real-world examples of each in time.

I’ll start with using cacls in a for loop to process a bunch of home directories, granting full control to each home directory for the specific user.  This can be useful after migrating home directories between domains, or just as a working example of a loop to process files or directories in some way.

for /f %f IN ('dir /ad /b X:\homedirs\u*') DO cacls X:\homedirs\%f /e /p %f:F

(Use %%f in place of %f in batch files)

The dir /ad /b command can also be written as dir /A:D /B and lists only the names of directories.  This prevents files being processed, limiting the application of permissions to just the directories.  For additional safety, I’ve also used u* to only list directories beginning with u (this may vary in your own environment).

The cacls command simply adds username:F (username:Full Control) to the DACL on the folder, assuming that the username and directory names match (which they almost certainly do in any Windows environment).

If the command is successful, you should see “Processed dir: X:\homedirs\<foldername>”.  Check the permissions to see the new ACE.

As with all complex commands, test on some dummy data first.
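A PowerShell take on the same loop, added here as an example and not part of the original post: it confirms that each folder name resolves to a real account before touching the DACL, and supports -WhatIf as a dry run. The domain name EXAMPLE is a placeholder assumption; the root path and u* filter are the ones used above.

```powershell
# Added example: grant each user Full Control on their own home folder,
# skipping any folder whose name does not resolve to an account.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$Root   = 'X:\homedirs',   # path used in the post
    [string]$Filter = 'u*',            # same name filter as the post
    [string]$Domain = 'EXAMPLE'        # assumption: placeholder NetBIOS domain name
)

# Apply the ACE to the folder and let it inherit to subfolders and files.
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$rights    = [System.Security.AccessControl.FileSystemRights]::FullControl
$allow     = [System.Security.AccessControl.AccessControlType]::Allow

foreach ($dir in Get-ChildItem -LiteralPath $Root -Directory -Filter $Filter) {
    $account = [System.Security.Principal.NTAccount]::new($Domain, $dir.Name)
    try {
        # Throws if no account matches the folder name, so a stray or
        # orphaned directory never receives an ACE.
        $null = $account.Translate([System.Security.Principal.SecurityIdentifier])
    } catch [System.Security.Principal.IdentityNotMappedException] {
        Write-Warning "No account '$account' for folder '$($dir.FullName)'; skipped"
        continue
    }

    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $account, $rights, $inherit, $propagate, $allow)

    if ($PSCmdlet.ShouldProcess($dir.FullName, "Grant FullControl to $account")) {
        $acl = Get-Acl -LiteralPath $dir.FullName
        # SetAccessRule replaces any existing allow ACE for this account,
        # comparable to cacls /e /p.
        $acl.SetAccessRule($rule)
        Set-Acl -LiteralPath $dir.FullName -AclObject $acl
    }
}
```

Run it with -WhatIf first to list the folders that would be changed, and review any warnings about folder names with no matching account.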

A more detailed account of migrating home directories to EMC VNX using the VNX Home Directory functionality can be found here: http://www.cyberfella.co.uk/2014/07/30/vnx_homedirectory/

Note: This post was written with home directories hosted on a NAS. However, if you need to share individual home directories as their own hidden shares on an actual Windows Server, this additional command will save you hours of repetitively clicking through the wizard over and over again…

Create a hidden share for each user’s home directory (Note: the home directory must already have appropriate NTFS security in place, because the share itself grants Everyone full control)

for /f %%f IN ('dir /ad /b E:\MigratedData\homedirs\') DO net share %%f$=E:\MigratedData\homedirs\%%f /GRANT:Everyone,FULL
